Room via Nextcloud -> Scalelite -> BBB does not work

[agru]

Describe the bug
The app works without any problem and I am able to share a started room by URL-sharing, but only if the app is configured to use a BBB-server directly. But with several BBB-servers, load balanced behind a Scalelite-server, it is not possible to enter a started room by URL-sharing.

To Reproduce
Steps to reproduce the behavior:

1. Go to the advanced settings and place there the working URL of a Scalelite-server, that is definitely working, for example with the Moodle-BBB-plugin. Also place the correct secret. The Scalelite-server is configured exactly the same way as if it would be a single BBB-server. That's the nice thing with a Scalelite and normally makes things pretty easy.
2. In the personal settings configure a BBB-room as usual, and as it is working with a single BBB-server.
3. Start the room as owner. That is working without problems!
4. Copy the link to the room, also from the personal settings in Nextcloud (BBB section)
5. Call the URL on an other computer or browser and enter a guest name
6. Submitting the form, expecting you get into the room, as it works with a single BBB server

Expected behavior
After entering a guest-name in the Nextcloud-form, shown using the shared link, then submitting the form, the expected behavior is to then enter the BBB-server / the webinar-room were the already started meeting is running.

System:

• Browser is Chromium 83, or Firefox 76
• App version 0.3.2
• Nextcloud version 18.0.5
• BigBlueButton version 2.2.11 and higher
• BigBlueButton instance is also working with Greenlight without problems
• BBB API url and secret is correctly entered - room owner is able to start the room from within Nextcloud without problems.

Javascript log:
Refused to send form data to 'https://bbb002.ourdomain.de/' because it violates the following Content Security Policy directive: "form-action 'self' https://scale.ourdomain.de".

Additional context
The server scale.ourdomain.de is the Scalelite-server. From there the session is forwarded to the BBB-server bbb002.ourdomain.de where the meeting was placed by Scalelite, and was already started by the room owner.

The URL / the domain of the Nextcloud server is not ourdomain.de, but different, for example mydomain.de. So the overall chain of servers involved is:

1. Nextcloud server on nc.mydomain.de, calling
2. Scalelite server on scale.ourdomain.de, forwarding to
3. one of the BBB servers in the Scalelite pool, for example bbb002.ourdomain.de

[sualko]

Thanks for the nice bug report. The issue is the way chrome handles redirects from forms. The only solution would be to have another forwarding page, which forwards the user via js. So form -> "Welcome foo" -> bbb. I think that would be easy to implement in conjunction with #23, but I'm currently working on other sponsored features. A pull request would very much appreciated.

[lkiesow]

The solution here is probably to just include the BigBlueButton server in Nextcloud's content security policy for form-action.

[joergmschulz]

look here - same site policy issue: https://github.com/ramezrafla/spreed-bigbluebutton/issues/5

[sualko]

We include a custom form-action, but in the case of a loadbalancer this doesn't work, because we don't know every forwarded domain. E.g. There could instances be created on the fly. The only other option, compared to the above, would be to add a wildcard.

[apscherbach]

It possible adjust the form-action policy to the domain? Ex: cloud.domain.abc -> domain.abc.
Congratulations, excelent job!

[sualko]

It possible adjust the form-action policy to the domain?

We could enter a wildcard domain, but this seams more like a hack, because you don't have to use the same domain (even if this is probably most often the case).